SecAppDev 2024 workshop details
Navigating the 2021 OWASP Top Ten for web security
Learning goal: Participants will master the OWASP Top 10 2021, learning to identify, understand, and mitigate the most critical web application security risks, thereby enhancing their secure coding skills.
Friday June 7th, 09:00 - 17:30
Room West Wing
Abstract
This workshop offers a deep dive into the OWASP Top 10 2021, essential for web developers and security professionals aiming to master secure coding practices. It elucidates the critical web application security risks, fostering a comprehensive understanding and implementation of defensive programming. Attendees will gain insights into the most prevalent security threats and the methodologies to mitigate them, ensuring the development of secure and resilient web applications.
Content overview
- Introduction to OWASP Top 10 2021
- A01: Broken Access Control
- A02: Cryptographic Failure
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failure
- A10: Server-Side Request Forgery (SSRF)
- Defense strategies for each risk
- Cultivating a security-minded development culture
Content level
Introductory
Target audience
Web developers, security professionals, and anyone interested in web application security looking to deepen their understanding of secure coding practices should attend.
Prerequisites
Basic understanding of web development principles and familiarity with common security concepts are recommended.
Technical requirements
Just a laptop and eagerness to learn and participate
Other workshops
WAF Whirlwind Tour - A one day introduction to OWASP ModSecurity and OWASP CRS
One-day workshop by Christian Folini in room Lemaire
Thursday June 6th, 09:00 - 17:30
The OWASP ModSecurity WAF engine and it's rule set counterpart OWASP CRS is the dominant team in the WAF world. Most commercial products are based on CRS and very often also ModSecurity. The key characteristic is the high detection rate and the transparency of the rule set. The generic nature of the rule set also comes with a painful downside: false positives.
In this one day workshop, we will look into the configuration of the WAF, we will write a few rules and we will namely fight false positives. The workshop is all you need to understand the basics and to get you started with WAF.
Learning goal: This workshop aims to equip participants with the skills to perform basic WAF configuration, write and read simple ModSecurity rules, and handle false positives.
Bulletproof APIs: Hands-On API Security
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 6th, 09:00 - 17:30
As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs requires developers and architects to really get API security, from the big picture down to the nitty-gritty details.
This workshop will teach you the skills you need! We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With lectures, real-world demos, fun quizzes, and hands-on labs, you'll learn how to secure your APIs.
Learning goal: Gain hands-on security strategies for APIs, understand the root causes of threats, and learn to implement effective solutions. Master best practices and leave with a checklist to enhance your application's security.
Externalizing authorization in a diverse application landscape using OPA
One-day workshop by Michael Boeynaems and Jasper Rots in room Lemaire
Friday June 7th, 09:00 - 17:30
This hands-on, interactive training will teach participants how their applications can benefit from external authorization and how they can implement this using Open Policy Agent (OPA), a modern solution to realize the PIP-PAP-PEP-PDP model and an accessible alternative to XACML-based solutions. OPA is application agnostic and allows writing policies as code in the Rego policy language. Through this policy engine, participants will learn how to manage access away from their applications, which will help them to address the current number one risk of the OWASP Top 10: Broken Access Control.
Learning goal: Participants will understand the benefits of externalizing authorization and will be able to do so in practice, while at the same time understanding the limitations of such an architecture.